PEAP+MSCHAP+AD (please help)
Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy. I'm trying to auth the user with PEAP+MSCHAP against AD. Kerberos and Samba have been properly configured and the server has been joined to the domain. From the command line: ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser password: NT_STATUS_OK: Success (0x0) ntlm_auth is properly working so it should work fine with FreeRadius. In the log below you'll find two auths performed by the same user in the same domain against the same FreeRadius server. In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", user account is valid in the domain and is not locked out, however user authentication fails. In the next attempt the user has unchecked this option, so everytime he connects to the network he has to type his credentials in. After clicking "Connect" he gets access. Why if Windows sends the same user information only in the latter case user is able to get in? Does anyone know how to solve/troubleshoot this problem? Many thanks Hector ----- FREERADIUS LOG ------- Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/eap.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded MS-CHAP mschap: use_mppe = no mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/private_key.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/certificate.pem" tls: CA_file = "/usr/local/etc/raddb/certs/ca.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "mschapv2" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded perl perl: module = "/opt/nac/bin/rad2vmps" perl: func_authorize = "authorize" perl: func_authenticate = "authenticate" perl: func_accounting = "accounting" perl: func_preacct = "preacct" perl: func_checksimul = "checksimul" perl: func_detach = "detach" perl: func_xlat = "xlat" perl: func_pre_proxy = "pre_proxy" perl: func_post_proxy = "post_proxy" perl: func_post_auth = "post_auth" perl: perl_flags = "(null)" perl: func_start_accounting = "(null)" perl: func_stop_accounting = "(null)" perl: max_clones = 32 perl: start_clones = 5 perl: min_spare_clones = 3 perl: max_spare_clones = 3 perl: cleanup_delay = 5 perl: max_request_per_clone = 0 Module: Instantiated perl (verify_mac) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "cistron" [/usr/local/etc/raddb/users]:1 Cistron compatibility checks for entry DEFAULT ... Module: Instantiated files (files) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1:1645, id=38, length=149 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x0202001601434f5250524f4f545c7467646f72686531 Message-Authenticator = 0x9bc11b6f6182f53f6428ad12c48d8f10 NAS-Port = 50001 NAS-Port-Type = Ethernet NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_eap: EAP packet type response id 2 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 38 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x67c75e29c6b4d8d32c662ce2d154d277 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=39, length=257 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x0203007019800000006616030100610100005d0301457998f4e09ac05f33a934415945c7264b94c0701d13c0caab7fa36b0cc015282065c088fd4f3b7fdc5fed147045382b152c89d35916d5d2938f9dd648c55fa6d8001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x4fe4e78473480d0bdd990a665c67c62d NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x67c75e29c6b4d8d32c662ce2d154d277 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_eap: EAP packet type response id 3 length 112 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 080d], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 39 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0104040a19c00000086a160301004a020000460301457998f53062b10c6041e3d6247d9f8189960a70e58063d2eb8416ca085f728a20c131ee8e347614dd96be74d24d8d0d56dffdbc25b8a27dded39fc3df92bb91d5000400160301080d0b0008090008060004b6308204b23082041ba003020102020a2e00e9e400000000002a300d06092a864886f70d0101050500306f3128302606092a864886f70d0109011619696e6f2e68656c706465736b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403130a494e4f2d4345 EAP-Message = 0x532d4341301e170d3036313032303132323831305a170d3037313032303132333831305a307e311b301906092a864886f70d010901160c726f6f7440767074742e6368310b3009060355040613024348310d300b060355040813044265726e3121301f060355040a13185377697373636f6d20496e6e6f766174696f6e204c74642e3120301e06035504031317696e6f636573766d7073312e73776973737074742e636830819f300d06092a864886f70d010101050003818d0030818902818100bcbadc4b571f51a19389879c2df4b32045fd76516d1afb6b06f96374dac730116958664972ae66216bf6bb9530573daaf005e0ea7018020baa62471f EAP-Message = 0xf05d3288cec3d40eac124ef80047cc9c853b0f2a925ab042bd1e0ba961de60cc0f1aca95a38b7ca9362977ed79f29de2b83325ff9c8cc4c087b3a7c7283e6fc0c95e1f470203010001a382024430820240301d0603551d0e0416041402827c1fe6af65cb4ed510eee57c81f9845126b33081a80603551d230481a030819d80140531afcf5f726f0182cc53ee960e4a53f8687bf4a173a471306f3128302606092a864886f70d0109011619696e6f2e68656c706465736b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403 EAP-Message = 0x130a494e4f2d4345532d4341821050dae873d6e1498e49c13dc445dc31f730818d0603551d1f048185308182303ea03ca03a8638687474703a2f2f696e6f636573616373322e636f7270726f6f742e6e65742f43657274456e726f6c6c2f494e4f2d4345532d43412e63726c3040a03ea03c863a66696c653a2f2f5c5c696e6f636573616373322e636f7270726f6f742e6e65745c43657274456e726f6c6c5c494e4f2d4345532d43412e63726c3081ce06082b060105050701010481c13081be305c06082b060105050730028650687474703a2f2f696e6f636573616373322e636f7270726f6f742e6e65742f43657274456e726f6c6c2f696e6f63 EAP-Message = 0x6573616373322e636f7270726f6f742e6e65745f494e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x584c9a8d95626f74ada9c048f89febd5 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=40, length=151 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020400061900 Message-Authenticator = 0xcf9be95996c8d692195ff106f4f9ac5e NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x584c9a8d95626f74ada9c048f89febd5 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 40 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0105040619404f2d4345532d43412e637274305e06082b06010505073002865266696c653a2f2f5c5c696e6f636573616373322e636f7270726f6f742e6e65745c43657274456e726f6c6c5c696e6f636573616373322e636f7270726f6f742e6e65745f494e4f2d4345532d43412e63727430130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181006a5fee48e1a8a5a43794cbaa520aaab4b9105add93c531bf8ce91f8374f08ae40dc04c03d7de7410b29bf3b64e97bf9af15be919096a8b04d021c615a763b01a05fbb572428830e1d1a2ad3cffcff079f524ce745cf8c9c7a2306d0f035eb7072ae63a EAP-Message = 0x92993d914ff7107b0ae9de3d3d4f19183f6b36383d91c57245f5cb694200034a30820346308202afa003020102021050dae873d6e1498e49c13dc445dc31f7300d06092a864886f70d0101050500306f3128302606092a864886f70d0109011619696e6f2e68656c706465736b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403130a494e4f2d4345532d4341301e170d3035303831303136313232315a170d3135303831303136323134325a306f3128302606092a864886f70d0109011619696e6f2e68656c70646573 EAP-Message = 0x6b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403130a494e4f2d4345532d434130819f300d06092a864886f70d010101050003818d0030818902818100bcdaa85f50acb0a704320cd308fe56ed5fff84b4ad027b0f8590495c17b15657a52475d8a7e14122f423213dae283a61978f27fa938e14adcc4ff6df9680be9520f576d041923181498768ad8f4e6a2c4c846359444d1ffba19b61d9086ddaa0b74d5ea18dc315482e3e14f43f3c6e937de7029cd2c1de45833fd6c4cf26697d0203010001a381e23081df300b EAP-Message = 0x0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e041604140531afcf5f726f0182cc53ee960e4a53f8687bf430818d0603551d1f048185308182303ea03ca03a8638687474703a2f2f696e6f636573616373322e636f7270726f6f742e6e65742f43657274456e726f6c6c2f494e4f2d4345532d43412e63726c3040a03ea03c863a66696c653a2f2f5c5c696e6f636573616373322e636f7270726f6f742e6e65745c43657274456e726f6c6c5c494e4f2d4345532d43412e63726c301006092b06010401823715010403020100300d06092a864886f70d010105050003818100a3eea55c46c0fa3d1cac6fa04e EAP-Message = 0x91a9f530133facb67f69835f8e7b389fa2d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x02a27b743dbcf852e5d08c96ccf2522b Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=41, length=151 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020500061900 Message-Authenticator = 0xd6811650c78d31a1bbdf1865603d3648 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x02a27b743dbcf852e5d08c96ccf2522b NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 41 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010600701900dbff8395b2eecf4ff75d35aab631de6621a8a96949ad6f63abc615b5714293a8d4e23d6248cea124a8fce49a67f5bdef8bbf0cb12f58375bb72154f29bd69b8ed6df9ea14c1ed5d83bae339f1a23503923e1d7a4839f8139393a0ccfb5cce9fe1116030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7aedd96540c2242a267e0424a4c9cbff Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=42, length=337 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020600c01980000000b6160301008610000082008041592edd109fc742430339b195f3331b296a316d33bc4a1d2ad4b8ee94d3f8b1dffc35e9e5c43f55a57cdf20ce0c9dbeca20f7845d878c6f99478055e2c44925b19832f4dd8733c3191d8a71b1d29f7ab23582096afd195e6f1d744171e72418851e9e26b960b3becca6d411b06d8a226063d6766f6a995958f05229a9a26b361403010001011603010020a5c032ec42c1f401f46d26a7beee41c9d7d53ca2a81b0f39eda4f53358a0785f Message-Authenticator = 0xcee410317912a566868d80e5464ecd6f NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x7aedd96540c2242a267e0424a4c9cbff NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 rlm_eap: EAP packet type response id 6 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 42 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0107003119001403010001011603010020fefca61bf40214a8674a24a744408e2795478ad43134b5d51fcda813c83db9f9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84dbafc4fc829bf55dde2305fe57301d Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=43, length=151 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020700061900 Message-Authenticator = 0x68c215c3eec41520df4f6ec8077a54b2 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x84dbafc4fc829bf55dde2305fe57301d NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 rlm_eap: EAP packet type response id 7 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 43 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x01080020190017030100151c2a8c3c0c99b55e4921f4ba75e5c39e27c47f5011 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x28cc94d72d7a29ad80708e0c77706331 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=44, length=190 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x0208002d1900170301002220a8f31f4e1afb10a647d8177fc5d434c42609050977ee8eb3c2f8041f5807db237b Message-Authenticator = 0x473b21fd979924a3323bb151624d0f18 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x28cc94d72d7a29ad80708e0c77706331 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 8 length 45 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - DOMAIN\testuser rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of DOMAIN\testuser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to DOMAIN\testuser Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 8 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 44 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0109004219001703010037dfcb5591de4c7a22576166fe485dac01fa4bf329838e9a52075e34d60fb88a44b1ca1c1a613596f8f3229d76528804705cc80524c9d03a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x33eadcfaac046aed67ca9098faaa2927 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=45, length=244 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x02090063190017030100585809205c332fd978f5caf5249f239c285a36684ac4b3db2a5c5126a9d83a48a4f0399ac6b9368cba8c23e91ea2b28643a5b679aa0ce0bc096fb91772d0e25bbb7ab8c1c393ad0a6ff1390f08fe575ec1f3aa65aa2d632aa2 Message-Authenticator = 0x973387facc75ffe21b452d6d0792f299 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x33eadcfaac046aed67ca9098faaa2927 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 9 length 99 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to DOMAIN\testuser PEAP: Adding old state with 77 f6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 9 length 76 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 03 radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785' Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7 modcall: leaving group MS-CHAP (returns reject) for request 7 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: leaving group authenticate (returns reject) for request 7 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 45 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010a00261900170301001b3ffcb99afafe29c89fa4affeb4d1e75070457ba622dfc56ec0f2c6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa6d1473e96c7a14c29a8f17fc89a3671 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=46, length=183 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020a00261900170301001b0bcaa64a94c7d49ee3af36354ce0441251bb53a91d33b73f0d5953 Message-Authenticator = 0xe45d9f748e60859d612b2ed26966c765 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0xa6d1473e96c7a14c29a8f17fc89a3671 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 rlm_eap: EAP packet type response id 10 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: leaving group authenticate (returns invalid) for request 8 auth: Failed to validate the user. Delaying request 8 for 1 seconds Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=46, length=183 Sending Access-Reject of id 46 to 192.168.1.1 port 1645 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Cleaning up request 0 ID 38 with timestamp 457998f5 Cleaning up request 1 ID 39 with timestamp 457998f5 Cleaning up request 2 ID 40 with timestamp 457998f5 Cleaning up request 3 ID 41 with timestamp 457998f5 Cleaning up request 4 ID 42 with timestamp 457998f5 Cleaning up request 5 ID 43 with timestamp 457998f5 Cleaning up request 6 ID 44 with timestamp 457998f5 Cleaning up request 7 ID 45 with timestamp 457998f5 Cleaning up request 8 ID 46 with timestamp 457998f5 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.1:1645, id=47, length=149 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x0202001601434f5250524f4f545c7467646f72686531 Message-Authenticator = 0x956d87ecbd35d2f1f9079f33f7e1238e NAS-Port = 50001 NAS-Port-Type = Ethernet NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 rlm_eap: EAP packet type response id 2 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 47 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c208d59dc2577205f327cbfac00af89 Finished request 9 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=48, length=257 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x0203007019800000006616030100610100005d03014579990cb3f8c006d0888a660f8163cc33a6543ba8996c4c6436238f339115b620c131ee8e347614dd96be74d24d8d0d56dffdbc25b8a27dded39fc3df92bb91d5001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xeb43847282321ac0066c963b43b9c673 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x0c208d59dc2577205f327cbfac00af89 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 rlm_eap: EAP packet type response id 3 length 112 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 10 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 10 modcall: leaving group authorize (returns updated) for request 10 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 10 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 080d], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 10 modcall: leaving group authenticate (returns handled) for request 10 Sending Access-Challenge of id 48 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0104040a19c00000086a160301004a0200004603014579990d967c1d56a8d185c7dc01abf8a6207c7b608b4b176311c434940cdd2d2097e122bab4dc1446d18733d8fc80cbaefc8e1e9e3226d4bef2a7bf35f0beb813000400160301080d0b0008090008060004b6308204b23082041ba003020102020a2e00e9e400000000002a300d06092a864886f70d0101050500306f3128302606092a864886f70d0109011619696e6f2e68656c706465736b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403130a494e4f2d4345 EAP-Message = 0x532d4341301e170d3036313032303132323831305a170d3037313032303132333831305a307e311b301906092a864886f70d010901160c726f6f7440767074742e6368310b3009060355040613024348310d300b060355040813044265726e3121301f060355040a13185377697373636f6d20496e6e6f766174696f6e204c74642e3120301e06035504031317696e6f636573766d7073312e73776973737074742e636830819f300d06092a864886f70d010101050003818d0030818902818100bcbadc4b571f51a19389879c2df4b32045fd76516d1afb6b06f96374dac730116958664972ae66216bf6bb9530573daaf005e0ea7018020baa62471f EAP-Message = 0xf05d3288cec3d40eac124ef80047cc9c853b0f2a925ab042bd1e0ba961de60cc0f1aca95a38b7ca9362977ed79f29de2b83325ff9c8cc4c087b3a7c7283e6fc0c95e1f470203010001a382024430820240301d0603551d0e0416041402827c1fe6af65cb4ed510eee57c81f9845126b33081a80603551d230481a030819d80140531afcf5f726f0182cc53ee960e4a53f8687bf4a173a471306f3128302606092a864886f70d0109011619696e6f2e68656c706465736b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403 EAP-Message = 0x130a494e4f2d4345532d4341821050dae873d6e1498e49c13dc445dc31f730818d0603551d1f048185308182303ea03ca03a8638687474703a2f2f696e6f636573616373322e636f7270726f6f742e6e65742f43657274456e726f6c6c2f494e4f2d4345532d43412e63726c3040a03ea03c863a66696c653a2f2f5c5c696e6f636573616373322e636f7270726f6f742e6e65745c43657274456e726f6c6c5c494e4f2d4345532d43412e63726c3081ce06082b060105050701010481c13081be305c06082b060105050730028650687474703a2f2f696e6f636573616373322e636f7270726f6f742e6e65742f43657274456e726f6c6c2f696e6f63 EAP-Message = 0x6573616373322e636f7270726f6f742e6e65745f494e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7e54bdce3e0f83476c1d3cc8929b06e2 Finished request 10 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=49, length=151 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020400061900 Message-Authenticator = 0xdcf1f45087c3f55071c74f33303d6098 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x7e54bdce3e0f83476c1d3cc8929b06e2 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 11 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 11 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 11 modcall: leaving group authorize (returns updated) for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 11 modcall: leaving group authenticate (returns handled) for request 11 Sending Access-Challenge of id 49 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0105040619404f2d4345532d43412e637274305e06082b06010505073002865266696c653a2f2f5c5c696e6f636573616373322e636f7270726f6f742e6e65745c43657274456e726f6c6c5c696e6f636573616373322e636f7270726f6f742e6e65745f494e4f2d4345532d43412e63727430130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181006a5fee48e1a8a5a43794cbaa520aaab4b9105add93c531bf8ce91f8374f08ae40dc04c03d7de7410b29bf3b64e97bf9af15be919096a8b04d021c615a763b01a05fbb572428830e1d1a2ad3cffcff079f524ce745cf8c9c7a2306d0f035eb7072ae63a EAP-Message = 0x92993d914ff7107b0ae9de3d3d4f19183f6b36383d91c57245f5cb694200034a30820346308202afa003020102021050dae873d6e1498e49c13dc445dc31f7300d06092a864886f70d0101050500306f3128302606092a864886f70d0109011619696e6f2e68656c706465736b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403130a494e4f2d4345532d4341301e170d3035303831303136313232315a170d3135303831303136323134325a306f3128302606092a864886f70d0109011619696e6f2e68656c70646573 EAP-Message = 0x6b407377697373636f6d2e636f6d310b30090603550406130243483121301f060355040a13185377697373636f6d20496e6e6f766174696f6e73204c7464311330110603550403130a494e4f2d4345532d434130819f300d06092a864886f70d010101050003818d0030818902818100bcdaa85f50acb0a704320cd308fe56ed5fff84b4ad027b0f8590495c17b15657a52475d8a7e14122f423213dae283a61978f27fa938e14adcc4ff6df9680be9520f576d041923181498768ad8f4e6a2c4c846359444d1ffba19b61d9086ddaa0b74d5ea18dc315482e3e14f43f3c6e937de7029cd2c1de45833fd6c4cf26697d0203010001a381e23081df300b EAP-Message = 0x0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e041604140531afcf5f726f0182cc53ee960e4a53f8687bf430818d0603551d1f048185308182303ea03ca03a8638687474703a2f2f696e6f636573616373322e636f7270726f6f742e6e65742f43657274456e726f6c6c2f494e4f2d4345532d43412e63726c3040a03ea03c863a66696c653a2f2f5c5c696e6f636573616373322e636f7270726f6f742e6e65745c43657274456e726f6c6c5c494e4f2d4345532d43412e63726c301006092b06010401823715010403020100300d06092a864886f70d010105050003818100a3eea55c46c0fa3d1cac6fa04e EAP-Message = 0x91a9f530133facb67f69835f8e7b389fa2d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3779029a8e48dc53a1d62d035f619fbd Finished request 11 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=50, length=151 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020500061900 Message-Authenticator = 0x83767edf44377d33a3ecde25cd988373 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x3779029a8e48dc53a1d62d035f619fbd NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 12 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 12 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 12 modcall: leaving group authorize (returns updated) for request 12 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 12 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 12 modcall: leaving group authenticate (returns handled) for request 12 Sending Access-Challenge of id 50 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010600701900dbff8395b2eecf4ff75d35aab631de6621a8a96949ad6f63abc615b5714293a8d4e23d6248cea124a8fce49a67f5bdef8bbf0cb12f58375bb72154f29bd69b8ed6df9ea14c1ed5d83bae339f1a23503923e1d7a4839f8139393a0ccfb5cce9fe1116030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe5f038edb0f8c3f8e06f0a5f23f410d7 Finished request 12 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=51, length=337 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020600c01980000000b6160301008610000082008036b1acf72df2a0e0aea88ccdca72785802c8e7cf7cc809cbc1cd2970526bddd05f407a1ba93a4c9ced40e5657569189acf8c3aa31d4066ad7d0485cdb25f33eee747cca76116a0f2531df2402036a15a8899a25e241056b7bbd467a074c4113184f88103702ec427de5614b21844988a02cee2ddc2f70bbc51c8a7363b6ed97e140301000101160301002047274e9ee0b53905bee7cbe41e7544504fe13dee7413181a9e75c5fb3db96dc3 Message-Authenticator = 0x330e5ade3dc6c1b98211db9a1749ee4e NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0xe5f038edb0f8c3f8e06f0a5f23f410d7 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 rlm_eap: EAP packet type response id 6 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 13 modcall: leaving group authorize (returns updated) for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 13 modcall: leaving group authenticate (returns handled) for request 13 Sending Access-Challenge of id 51 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0107003119001403010001011603010020ae982aadb0779708c8ac084a0c27220bd931ddd0dc1027d641df762da01e7c13 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x60cfa0a5edf7c174c3514cd7c7f65a7b Finished request 13 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=52, length=151 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020700061900 Message-Authenticator = 0xbf723e37c3551867e362981b36faa978 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x60cfa0a5edf7c174c3514cd7c7f65a7b NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 rlm_eap: EAP packet type response id 7 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 14 modcall: leaving group authenticate (returns handled) for request 14 Sending Access-Challenge of id 52 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010800201900170301001555db2701383a4dab60e28f0db0e824c4581a5671fe Message-Authenticator = 0x00000000000000000000000000000000 State = 0x852de9dd7e19d1a5c923bf08c10a13c2 Finished request 14 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=53, length=190 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x0208002d1900170301002288a7cafb3268a1d1350f7c6ba7666503b80405e48ba79e8a7682b8ffd3e63a7f6dbc Message-Authenticator = 0x1b06f7ed2260a697d6b3be1df34d3c52 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x852de9dd7e19d1a5c923bf08c10a13c2 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 rlm_eap: EAP packet type response id 8 length 45 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 15 modcall: leaving group authorize (returns updated) for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - DOMAIN\testuser rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of DOMAIN\testuser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to DOMAIN\testuser Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 rlm_eap: EAP packet type response id 8 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 15 modcall: leaving group authorize (returns updated) for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 15 modcall: leaving group authenticate (returns handled) for request 15 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 15 modcall: leaving group authenticate (returns handled) for request 15 Sending Access-Challenge of id 53 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x0109004219001703010037427780b211d9581c91a92c2976cd7fb11800d9f8e18fc1dc475d70c0e3e1668a78ece916102069c7b5ed11416e729ce39933f80533fbc6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xded8de88766f4bccc413a3a23bcb5270 Finished request 15 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=54, length=244 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x02090063190017030100586094e3cc1d9e1f5856e8bccf4b82654c4ad75cd04c6a10fff6623b01356111bab02ff75ae23eb1c7b4aca810edccf35de1270f93ef9ff0e89440443ef866c918f23c945db147426c108f8ad6928e748d34bd10486dbe1a5f Message-Authenticator = 0xcf3d72e3d06990d7daa371a4a33f8053 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0xded8de88766f4bccc413a3a23bcb5270 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 16 rlm_eap: EAP packet type response id 9 length 99 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 16 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 16 modcall: leaving group authorize (returns updated) for request 16 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 16 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to DOMAIN\testuser PEAP: Adding old state with db be Processing the authorize section of radiusd.conf modcall: entering group authorize for request 16 rlm_eap: EAP packet type response id 9 length 76 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 16 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 16 modcall: leaving group authorize (returns updated) for request 16 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 16 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 16 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: ae radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d' Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF Exec-Program: returned: 0 modcall[authenticate]: module "mschap" returns ok for request 16 modcall: leaving group MS-CHAP (returns ok) for request 16 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 16 modcall: leaving group authenticate (returns handled) for request 16 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 16 modcall: leaving group authenticate (returns handled) for request 16 Sending Access-Challenge of id 54 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010a004a1900170301003fef7905b2d4365d2237b81630423bc384d7bcb02b1b174a194bd45d2fd6cb233fe98fd93c30e1ebaa50e34ea3a409e352a990e1ed2c665b91344766a9f52135 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05c6c7c2066a6d23236f6a02c7b62783 Finished request 16 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=55, length=174 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020a001d1900170301001237f99735d4db2ad15b56ba7ca23d6bd3d6c4 Message-Authenticator = 0xb07169c8d70f58fe956cb729d91eb15f NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x05c6c7c2066a6d23236f6a02c7b62783 NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 17 rlm_eap: EAP packet type response id 10 length 29 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 17 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 17 modcall: leaving group authorize (returns updated) for request 17 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 17 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to DOMAIN\testuser PEAP: Adding old state with 91 d5 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 17 rlm_eap: EAP packet type response id 10 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 17 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 17 modcall: leaving group authorize (returns updated) for request 17 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 17 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 17 modcall: leaving group authenticate (returns ok) for request 17 PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS modcall[authenticate]: module "eap" returns handled for request 17 modcall: leaving group authenticate (returns handled) for request 17 Sending Access-Challenge of id 55 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" EAP-Message = 0x010b00261900170301001b92a97899d7d36a01ce0773c89ec1912d02c257d4c5bb24239e1b84 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x898f8d49a4dfd4d1e5c301eb592f532a Finished request 17 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:1645, id=56, length=183 User-Name = "DOMAIN\\testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-19-AA-2C-8F-03" Calling-Station-Id = "00-08-74-46-2A-A5" EAP-Message = 0x020b00261900170301001b2b96f40aa3319766d8adf76e850b1f0bd44117041db965f51cf0b5 Message-Authenticator = 0x3f0853b193e36a8d7b85d734713703a0 NAS-Port = 50001 NAS-Port-Type = Ethernet State = 0x898f8d49a4dfd4d1e5c301eb592f532a NAS-IP-Address = 192.168.1.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 rlm_eap: EAP packet type response id 11 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 18 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 18 modcall: leaving group authorize (returns updated) for request 18 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 18 modcall: leaving group authenticate (returns ok) for request 18 Sending Access-Accept of id 56 to 192.168.1.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "vlanX" MS-MPPE-Recv-Key = 0x1c8f0ede465ed8d7250bfd67396e340423ff2859327f38942b13a210030ad18c MS-MPPE-Send-Key = 0xc12ccf7491c816122c7a2bd30eb177d2add2b23897493492288f1647c850d06f EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "DOMAIN\\testuser" Finished request 18 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 9 ID 47 with timestamp 4579990d Cleaning up request 10 ID 48 with timestamp 4579990d Cleaning up request 11 ID 49 with timestamp 4579990d Cleaning up request 12 ID 50 with timestamp 4579990d Cleaning up request 13 ID 51 with timestamp 4579990d Cleaning up request 14 ID 52 with timestamp 4579990d Cleaning up request 15 ID 53 with timestamp 4579990d Cleaning up request 16 ID 54 with timestamp 4579990d Cleaning up request 17 ID 55 with timestamp 4579990d Cleaning up request 18 ID 56 with timestamp 4579990d Nothing to do. Sleeping until we see a request.
Hector.Ortiz@swisscom.com wrote:
Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy.
In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", user account is valid in the domain and is not locked out, however user authentication fails.
In the next attempt the user has unchecked this option, so everytime he connects to the network he has to type his credentials in. After clicking "Connect" he gets access.
Why if Windows sends the same user information only in the latter case user is able to get in?
Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7
It failed because the client returned the wrong challenge
Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF Exec-Program: returned: 0 modcall[authenticate]: module "mschap" returns ok for request 16 modcall: leaving group MS-CHAP (returns ok) for request 16 MSCHAP Success
Whereas that worked. It looks to me as if you've edited the debug output so I can't be sure, but I'd suggest looking at the client - the radius server is configured correctly. Perhaps the client is not in fact logging on to the laptop with the correct username and password.
Hello. No, I haven't edited the debug output. Why would I do this if I have a problem that want to get solved??. The debug output is exactly what I get from FreeRadius. There have been more people in this list with the same problem, being the latest http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.h.... Even though he found a solution for his own problem, I followed his howto but unfortunately didn't worked for me. About the client, when I turn the computer on, I have to type in the user credentials, the same ones that I use when testing FreeRadius. Windows sends FreeRadius the same user information in the two cases, but the outcome is completely different and this of course makes no sense. There is no trick, this is a real problem I have. Thanks for any further assistance Héctor -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] Im Auftrag von Phil Mayers Gesendet: Freitag, 8. Dezember 2006 19:32 An: FreeRadius users mailing list Betreff: Re: PEAP+MSCHAP+AD (please help) Hector.Ortiz@swisscom.com wrote:
Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy.
In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", user account is valid in the domain and is not locked out, however user authentication fails.
In the next attempt the user has unchecked this option, so everytime he connects to the network he has to type his credentials in. After clicking "Connect" he gets access.
Why if Windows sends the same user information only in the latter case user is able to get in?
Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7
It failed because the client returned the wrong challenge
Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF Exec-Program: returned: 0 modcall[authenticate]: module "mschap" returns ok for request 16 modcall: leaving group MS-CHAP (returns ok) for request 16 MSCHAP Success
Whereas that worked. It looks to me as if you've edited the debug output so I can't be sure, but I'd suggest looking at the client - the radius server is configured correctly. Perhaps the client is not in fact logging on to the laptop with the correct username and password. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hector.Ortiz@swisscom.com wrote:
Hello. No, I haven't edited the debug output. Why would I do this if I have a problem that want to get solved??. The debug output is exactly what I get from FreeRadius.
People do some surprising things on this mailing list... I saw that you had a domain called DOMAIN, which is not very common, and assumed "the worst" i.e. that you had edited the output.
There have been more people in this list with the same problem, being the latest http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.h.... Even though he found a solution for his own problem, I followed his howto but unfortunately didn't worked for me.
About the client, when I turn the computer on, I have to type in the user credentials, the same ones that I use when testing FreeRadius. Windows sends FreeRadius the same user information in the two cases, but the outcome is completely different and this of course makes no sense.
There is no trick, this is a real problem I have.
I didn't imagine you were trying to trick us. As far as I can tell, your FreeRadius configuration looks correct. It's able to answer at least some MS-CHAP requests, and as you say there's no real difference as far as the server is concerned between and automatic or manual client login. This makes me suspect that there *is* a difference between such on the client side. Couple of other things you could try: netsh ras set tracing * enable ...on the windows client side, then inspect the logs (If memory serves they go do %WINDIR%/system32/tracing) Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, you're not trying to authenticate a trusted domain user? Finally, I see you've got the ntlm_auth helper set to: /opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} You could try removing the --domain argument completely - though you should not need to. You could obviously also bump the Samba debugging level for a failing login and inspect the samba logs.
Hi, I've followed Phil's advice and ran netsh ras set tracing * enable on the windows client. I tried first one automatic login and then a manual one. The CHAP log generated by Windows is as follows: [356] 12-11 13:11:49:953: RasEapGetIdentity [356] 12-11 13:11:49:953: ReadUserData [356] 12-11 13:11:49:953: ReadConnectionData [2052] 12-11 13:11:50:864: EapChapBeginMSChapV2 [2052] 12-11 13:11:50:864: ReadUserData [2052] 12-11 13:11:50:864: ReadConnectionData [2052] 12-11 13:11:50:864: EapChapBeginCommon [2052] 12-11 13:11:50:864: ChapBegin(fS=0,bA=0x81) [2052] 12-11 13:11:50:864: ChapBegin done. [2052] 12-11 13:11:50:864: ChapMakeMessage,RBuf=00000000 [2052] 12-11 13:11:50:864: ChapCMakeMessage... [2052] 12-11 13:11:50:864: CS_Initial [2052] 12-11 13:11:50:864: EapMSChapv2MakeMessage [2052] 12-11 13:11:50:864: EapMSChapv2CMakeMessage [2052] 12-11 13:11:50:864: EMV2_Initial [2052] 12-11 13:11:50:864: ChapMakeMessage,RBuf=10163023 [2052] 12-11 13:11:50:864: ChapCMakeMessage... [2052] 12-11 13:11:50:864: CS_WaitForChallenge [2052] 12-11 13:11:50:864: MakeResponseMessage... [2052] 13:11:50:864: GetChallengeResponse [2052] 13:11:50:864: RegisterLSA [2052] 13:11:50:864: GetChallengeResponse Success [2052] 13:11:50:864: GetChallengeResponse [2052] 13:11:50:864: RegisterLSA [2052] 13:11:50:864: GetChallengeResponse Success [2052] 12-11 13:11:50:864: GetChallengeResponse=0 02 09 00 47 31 16 91 4A BB 0F C1 CF 81 D2 AD 9F |...G1..J........| C6 FD FD D8 18 00 00 00 00 00 00 00 00 88 DF 78 |...............x| 8C 30 79 E0 53 C7 4C A6 19 5D EE 1A 00 8D 7C 2A |.0y.S.L..]....|*| C7 90 FF 88 36 00 44 4F 4D 41 49 4E 5C 54 45 53 |....6.DOMAIN\TES| 54 55 53 45 52 00 00 00 00 00 00 00 00 00 00 00 |TUSER...........| [2052] 12-11 13:11:58:985: EapMSChapv2MakeMessage [2052] 12-11 13:11:58:985: EapMSChapv2CMakeMessage [2052] 12-11 13:11:58:985: EMV2_ResponseSend [2052] 12-11 13:11:58:985: Got a Code Failure when expecting Response. Failing Auth [348] 12-11 13:12:22:314: EapMSChapv2End [348] 12-11 13:12:22:314: ChapEnd [2052] 12-11 13:12:39:816: RasEapGetIdentity [2052] 12-11 13:12:39:816: ReadUserData [2052] 12-11 13:12:39:816: ReadConnectionData [3496] 12-11 13:12:39:966: EapChapBeginMSChapV2 [3496] 12-11 13:12:39:966: ReadUserData [3496] 12-11 13:12:39:966: ReadConnectionData [3496] 12-11 13:12:39:966: EapChapBeginCommon [3496] 12-11 13:12:39:966: ChapBegin(fS=0,bA=0x81) [3496] 12-11 13:12:39:966: ChapBegin done. [3496] 12-11 13:12:39:966: ChapMakeMessage,RBuf=00000000 [3496] 12-11 13:12:39:966: ChapCMakeMessage... [3496] 12-11 13:12:39:966: CS_Initial [3496] 12-11 13:12:39:966: EapMSChapv2MakeMessage [3496] 12-11 13:12:39:966: EapMSChapv2CMakeMessage [3496] 12-11 13:12:39:966: EMV2_Initial [3496] 12-11 13:12:39:966: ChapMakeMessage,RBuf=10163023 [3496] 12-11 13:12:39:966: ChapCMakeMessage... [3496] 12-11 13:12:39:966: CS_WaitForChallenge [3496] 12-11 13:12:39:966: MakeResponseMessage... [3496] 13:12:39:966: GetChallengeResponse [3496] 13:12:39:966: GetDESChallengeResponse [3496] 13:12:39:966: GetDESChallengeResponse Success [3496] 13:12:39:966: GetMD5ChallengeResponse Success [3496] 13:12:39:966: GetMD5ChallengeResponse Success [3496] 13:12:39:966: GetChallengeResponse Success [3496] 12-11 13:12:39:966: GetChallengeResponse=0 02 09 00 47 31 94 01 2F 4B 82 44 97 AE AC 27 F6 |...G1../K.D...'.| 0E 95 AD C5 69 00 00 00 00 00 00 00 00 7D B8 B6 |....i........}..| 08 24 86 E1 D0 C4 3B FA CC 43 FB FA 6E F5 5D 9F |.$....;..C..n.].| 3E EE 9E A8 11 00 44 4F 4D 41 49 4E 5C 74 65 73 |>.....DOMAIN\tes| 74 75 73 65 72 00 00 00 00 00 00 00 00 00 00 00 |tuser...........| [3496] 12-11 13:12:40:176: EapMSChapv2MakeMessage [3496] 12-11 13:12:40:176: EapMSChapv2CMakeMessage [3496] 12-11 13:12:40:176: EMV2_ResponseSend [3496] 12-11 13:12:40:176: ChapMakeMessage,RBuf=10163023 [3496] 12-11 13:12:40:176: ChapCMakeMessage... [3496] 12-11 13:12:40:176: CS_ResponseSent [3496] 12-11 13:12:40:176: Message received... 03 09 00 2E 53 3D 30 36 42 39 38 32 31 34 43 38 |....S=06B98214C8| 43 36 30 44 43 37 42 37 32 38 34 44 34 34 41 41 |C60DC7B7284D44AA| 39 43 46 38 35 44 38 34 30 37 36 38 34 44 00 00 |9CF85D8407684D..| [3496] 12-11 13:12:40:176: Done :) [3496] 12-11 13:12:40:176: GetClientMPPEKeys [3496] 12-11 13:12:40:186: EapMSChapv2MakeMessage [3496] 12-11 13:12:40:186: EapMSChapv2CMakeMessage [3496] 12-11 13:12:40:186: EMV2_CHAPAuthSuccess [3496] 12-11 13:12:40:186: AllocateUserDataWithEncPwd [3496] 12-11 13:12:40:237: EapMSChapv2End [3496] 12-11 13:12:40:237: ChapEnd Windows sends both domain and username, but only the manual login succeeds. For the manual login, Windows uses DES and MD5 but for the automatic one uses Local Security Authority, but I don't think this has something to do with my problem, does it? I've also tried other things on the client side: Cleaned cached user credentials from regedit, just in case, but the result is the same. I've tried using different computers and the result is the same. Using a different supplicant (SecureW2) seemed to work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic and manual logins worked on my computer through SW2. Then I tried it on another computer, and didn't work. Different accounts and the result is the same. I haven't tried yet bumping the debugging level in Samba. I was just trying on the client side, but unfortunately nothing succeeded :( Well, now I have to try things on the server side. Do you have any more ideas to try? Héctor -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] Im Auftrag von Phil Mayers Gesendet: Montag, 11. Dezember 2006 11:26 An: FreeRadius users mailing list Betreff: Re: AW: PEAP+MSCHAP+AD (please help) Hector.Ortiz@swisscom.com wrote:
Hello. No, I haven't edited the debug output. Why would I do this if I have a problem that want to get solved??. The debug output is exactly what I get from FreeRadius.
People do some surprising things on this mailing list... I saw that you had a domain called DOMAIN, which is not very common, and assumed "the worst" i.e. that you had edited the output.
There have been more people in this list with the same problem, being the latest http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.h.... Even though he found a solution for his own problem, I followed his howto but unfortunately didn't worked for me.
About the client, when I turn the computer on, I have to type in the user credentials, the same ones that I use when testing FreeRadius. Windows sends FreeRadius the same user information in the two cases, but the outcome is completely different and this of course makes no sense.
There is no trick, this is a real problem I have.
I didn't imagine you were trying to trick us. As far as I can tell, your FreeRadius configuration looks correct. It's able to answer at least some MS-CHAP requests, and as you say there's no real difference as far as the server is concerned between and automatic or manual client login. This makes me suspect that there *is* a difference between such on the client side. Couple of other things you could try: netsh ras set tracing * enable ...on the windows client side, then inspect the logs (If memory serves they go do %WINDIR%/system32/tracing) Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, you're not trying to authenticate a trusted domain user? Finally, I see you've got the ntlm_auth helper set to: /opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} You could try removing the --domain argument completely - though you should not need to. You could obviously also bump the Samba debugging level for a failing login and inspect the samba logs. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hector.Ortiz@swisscom.com wrote:
on the windows client. I tried first one automatic login and then a manual one. The CHAP log generated by Windows is as follows:
Hmph. That wasn't as useful as I'd hoped (the PPP logs are much better)
Windows sends both domain and username, but only the manual login succeeds.
For the manual login, Windows uses DES and MD5 but for the automatic one uses Local Security Authority, but I don't think this has something to do with my problem, does it?
Not really - the automatic login calls out to the LSA to get the logged-in creds. The manual login does a portion of that locally.
I've also tried other things on the client side:
Cleaned cached user credentials from regedit, just in case, but the result is the same. I've tried using different computers and the result is the same. Using a different supplicant (SecureW2) seemed to work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic and manual logins worked on my computer through SW2. Then I tried it on another computer, and didn't work. Different accounts and the result is the same.
I haven't tried yet bumping the debugging level in Samba. I was just trying on the client side, but unfortunately nothing succeeded :(
Well, now I have to try things on the server side.
I doubt there's anything in the Radius server that'll help at this point. Only two things I can think of: 1. Does your password have odd (non-ascii) characters in it? That should NOT matter for MS-CHAP since it's explicitly unicode aware 2. Does the domain you are in have particular tight security policies that might be preventing the LSA from successfully completing an MS-CHAP but would allow the manual code to work? Both are extremely unlikely. Sorry I can't be more help
Hector.Ortiz@swisscom.com wrote:
About the client, when I turn the computer on, I have to type in the user credentials, the same ones that I use when testing FreeRadius. Windows sends FreeRadius the same user information in the two cases, but the outcome is completely different and this of course makes no sense.
Windows is *not* sending the same information in both cases. Please go back and read the debugging output. In each case, Windows is sending a random challenge, and a "response" hash. The "response" hash depends on the challenge, password, and user name, so it is different for EVERY request. Look at the debugging output, and type in the "ntlm_auth" lines by hand on a command line (i.e. cut & paste from the debug output). One will succeed and one will fail. This is because Active Directory is deciding that one succeeds and the other fails. What is probably happening is that the Windows box is treating the user name as "user" in one case, and "DOMAIN\user" in the other. This means that the expected response calculated by Active Directory MAY use a different username than what the Windows client is using. The expected response is therefore not the same as what the Windows box sends, so authentication fails. As to how to fix it? I'm not sure. The Windows box appears to be doing something odd, and I don't know why. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Hector.Ortiz@swisscom.com -
Phil Mayers